Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw thatallowed Java Web Start applications to run even when users had Java disabled in the browser (https://threatpost.com/en_us/blogs/apple-fixes-os-x-flaw-allowed-java-apps-run-plugin-disabled-031513). There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X.

http://apple.slashdot.org/story/13/03/16/0143243/apple-nabs-java-exploit-that-bypassed-disabled-plugin